Maintained by: NLnet Labs

[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks

Greg A. Woods; Planix, Inc.
Sun Feb 15 20:47:20 CET 2009

On 15-Feb-2009, at 1:28 PM, Ondřej Surý wrote:

>>>> Cache snooping lets anyone see who you've been talking to, when you
>>>> looked
>>>> it up, and when the cache will expire.
>>> cache snooping can also facilitate amplification attacks, see RFC  
>>> 5358.
>> No, not without recursion enabled it can't.
> Yes, it can. Just spoof query to something which is already in cache
> (like root servers).

RFC 5358 describes an attack which effectively requires the nameserver  
to perform a recursive lookup for the queries that are part of the  
attack.  To quote the RFC:

	"DNS authoritative servers that do not provide recursion to clients
    can also be used as amplifiers; however, the amplification potential
    is greatly reduced when authoritative servers are used."

	"This document's recommendations are
    concerned with recursive nameservers only."

I.e. if recursion is _not_ performed for any "foreign" queries then  
nobody outside of the networks "trusted" by the caching nameserver can  
succeed at this attack any more than they could succeed at using _any_  
and _every_ authoritative nameserver "normally".

I guess what I'm suggesting is something like this, which of course is  
not quite possible yet with unbound:

	# "trusted" networks can do recursive and non-recursive queries
	access-control: 127/8 allow_snoop
	access-control: 10/8 allow_snoop
	access-control: 172.16/16 allow_snoop
	access-control: 192.168/16 allow_snoop
	access-control: N.N.N.N/24 allow_snoop	# site's public IP space

	# everyone else can only do non-recursive queries of "public" data
	access-control: 0/0 snoop_public

					Greg A. Woods; Planix, Inc.
					<woods at>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <>